Because of the BEAST exploit it seems everyone is saying you should stop using AES and instead use RC4.

I am wondering if it wouldn't be better to continue using AES instead for the following reasons:

To exploit BEAST the attacker has to get the client to execute their JavaScript code. If they can do this, then you have an XSS vulnerability in your site. If this is the case, wouldn't it be much easier to just hijack the user's session or grab data from the browser window itself and send it that way instead of trying to use BEAST?

RC4, which is what everyone is recommending, seems to me to be more vulnerable than AES. It is what is used in WEP. Is the implementation used by browsers more secure?

EDIT

I looked at the link in Jeff's answer. To make this exploit work the attacker must be able to make the client communicate with the site for which it wants to decrypt the traffic. SOP should stop this from happening. An XSS vulnerability on the site or a vulnerability in a browser plugin (such as Java, Flash, Silverlight) can be used to bypass the SOP limitation. In the paper they use a vulnerability in Java to do this.

In summary: SOP should protect you against this, but may not. If you have an XSS vulnerability in your site then this is the least of your problems.

If you haven't done so yet, listening to Security Now Episode 321 "The Beauty of B.E.A.S.T." will give you more background info to help you answer your question. grc.com/securitynow.htm
– Jan Doggen Oct 4 '12 at 14:15

2) RC4 in WEP was vulnerable because of an implementation flaw. AES in TLS 1.0 / CBC mode... exactly the same kind of problem. They're still strong algorithms, they just had an error in how they were used.

Browsers are adapting by sending one-byte packets at the beginning of connections. This makes the remainder filled with random padding and thus negates the ability to use chosen plaintext based upon the CBC initialization.

Should you change ciphers? Well, RC4 defeats the attack, does not present a known new attack surface, and Google seems to be doing quite well with it. For those reasons, I personally would change it.

Steve: Well, and, for example, it uses an extremely good cipher technology called RC4. That's an RSA proprietary cipher which is very good for encrypting as long as you use it correctly. And that's really the key. The foundation of WEP encryption, with this RC4 cipher, is extremely strong. But it was used in a very bad way.

For a web application, unless you know your clients are going to be using IE, you should probably stick to RC4.

For a non-web application just force the client to use TLS 1.1 or 1.2 and the problem goes away.

There is a client-side fix, and it is implemented in SChannel (used by IE), but only in the development version of NSS (used by Firefox and Chrome). Last I heard they didn't want to enable the fix for everyone due to it causing issues when connecting to some older web servers. The only server-side fix is to avoid all block ciphers, which means RC4. Which, despite being a 25-year-old stream cipher, has no demonstrated attacks against it, as used in TLS 1.0.
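The two answers above mention three record-layer behaviours without showing what actually changes: plain TLS 1.0 CBC chaining, the one-byte "1/n-1" record split the browser vendors shipped, and the TLS 1.1 fix. The following is an added example, not code from the question, the answers or any TLS library: a small Python model of the TLS 1.0 record layer in which a toy Feistel network stands in for AES (it is not a real cipher) and in which the keys, handshake IV, request bytes and all class and function names are constructed for the demo. It reports, for each mode, whether the IV under which the bulk of a request was encrypted was already visible on the wire before that request was formed, which is the property the mitigations remove.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16      # block size of the cipher being modelled (AES-128)
MAC_LEN = 20    # TLS 1.0 HMAC-SHA1 tag length

# Constructed demo material; a real implementation derives these from the handshake.
ENC_KEY = bytes(range(16))
MAC_KEY = b"demo-mac-key-not-secret"
HANDSHAKE_IV = b"\x00" * BLOCK


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key, block):
    """4-round Feistel network on 8-byte halves: a stand-in for AES, NOT a real cipher."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, r, i))
    return l + r


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r


class RecordSender:
    """Model of the TLS 1.0 CBC record layer (RFC 2246 6.2.3.2): each record's IV is the
    last ciphertext block of the previous record. mode is 'chained' (plain TLS 1.0),
    'split' (the 1/n-1 record split) or 'explicit_iv' (fresh random IV per record, TLS 1.1)."""

    def __init__(self, enc_key, mac_key, initial_iv, mode):
        self.enc_key, self.mac_key, self.mode = enc_key, mac_key, mode
        self.chain = initial_iv
        self.seq = 0
        self.ivs_used = []   # instrumentation only: the IV each record was encrypted under

    def _mac(self, fragment):
        # HMAC over seq_num || type || version || length || fragment, as in TLS 1.0
        header = struct.pack(">QBHH", self.seq, 23, 0x0301, len(fragment))
        return hmac.new(self.mac_key, header + fragment, hashlib.sha1).digest()

    def _encrypt_record(self, fragment):
        body = fragment + self._mac(fragment)
        pad_len = (-(len(body) + 1)) % BLOCK
        body += bytes([pad_len]) * (pad_len + 1)   # TLS padding: pad_len+1 bytes of value pad_len
        iv = os.urandom(BLOCK) if self.mode == "explicit_iv" else self.chain
        self.ivs_used.append(iv)
        prev, out = iv, b""
        for i in range(0, len(body), BLOCK):
            prev = toy_block_encrypt(self.enc_key, xor(body[i:i + BLOCK], prev))
            out += prev
        self.chain = prev                           # the next record chains from this block
        self.seq += 1
        return iv + out if self.mode == "explicit_iv" else out

    def send(self, plaintext):
        # 1/n-1 split: only one application byte (plus MAC and padding) is encrypted under
        # the IV already visible on the wire; the other n-1 bytes chain from a ciphertext
        # block that did not exist until that first record was produced.
        if self.mode == "split" and len(plaintext) > 1:
            return [self._encrypt_record(plaintext[:1]), self._encrypt_record(plaintext[1:])]
        return [self._encrypt_record(plaintext)]


def decrypt_records(enc_key, initial_iv, records, mode):
    """Receiver side: undo CBC, strip padding and MAC (MAC verification omitted for brevity)."""
    chain, out = initial_iv, b""
    for rec in records:
        if mode == "explicit_iv":
            chain, rec = rec[:BLOCK], rec[BLOCK:]
        body = b""
        for i in range(0, len(rec), BLOCK):
            blk = rec[i:i + BLOCK]
            body += xor(toy_block_decrypt(enc_key, blk), chain)
            chain = blk
        out += body[:len(body) - body[-1] - 1 - MAC_LEN]
    return out


def demo(mode):
    """Send two requests in a row and report whether the IV protecting the bulk of the
    second one was already observable on the wire before that request existed."""
    sender = RecordSender(ENC_KEY, MAC_KEY, HANDSHAKE_IV, mode)
    earlier = b"GET /index.html HTTP/1.1\r\n"        # constructed, already sent
    request = b"Cookie: session=EXAMPLE-VALUE\r\n"   # constructed follow-up request
    wire = sender.send(earlier)
    wire_tail = wire[-1][-BLOCK:]                     # last block an observer has seen so far
    records = sender.send(request)
    recovered = decrypt_records(ENC_KEY, HANDSHAKE_IV, wire + records, mode)
    return {
        "records": len(records),
        "bulk_iv_predictable_from_wire": sender.ivs_used[-1] == wire_tail,
        "round_trip": recovered == earlier + request,
    }
```

Calling `demo("chained")`, `demo("split")` and `demo("explicit_iv")` in turn shows the difference: only the plain TLS 1.0 mode encrypts the bulk of the request under an IV that was already on the wire, while the split sends two records and the TLS 1.1-style mode carries its own random IV in each record. In all three modes the receiver recovers the original bytes, which is why the split could be deployed client-side without server changes.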